diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8b43cd360b3..dfce5f12d6c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,7 +1,6 @@
 name: CodeQL
 on:
- push:
 pull_request:
 schedule:
 - cron: "0 2 * * *"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index efc232631ba..882fb9205cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 release-please:
- # TODO(SNOW-1965855): Uncomment after adjusting secrets for release `environment: release`
+ environment: release
 runs-on: macos-latest
 steps:
 - uses: actions/github-script@v6
diff --git a/.github/workflows/workflow-rules.yml b/.github/workflows/workflow-rules.yml
new file mode 100644
index 00000000000..1d8fcafefa8
--- /dev/null
+++ b/.github/workflows/workflow-rules.yml
@@ -0,0 +1,21 @@
+name: Workflow rules
+
+on:
+ pull_request:
+
+jobs:
+ check_workflows:
+ name: Check workflows
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Check for pull_request_target
+ run: |
+ if grep -r --exclude="workflow-rules.yml" "pull_request_target" .github/workflows/; then
+ echo "pull_request_target found in workflow files"
+ exit 1
+ else
+ exit 0
+ fi
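Review bot: In `release.yml`, the new `environment: release` on `release-please` only gates the job if the `release` environment has protection rules configured in repository settings (required reviewers, deployment branch restrictions). None of that is visible in this diff, and the removed TODO was the only in-file record of the dependency. A comment above the key would keep it, for example `# release environment: approval and branch rules are configured in repository settings`. With the job bound to the environment, its secrets are in scope for the job, so the action visible in the context lines is worth pinning to a full commit SHA: `uses: actions/github-script@<full-commit-sha> # v6`. The job's steps continue outside the hunk, so any later actions were not reviewed.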
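Review bot: The new `workflow-rules.yml` declares no `permissions:` block, so `check_workflows` runs with the repository's default `GITHUB_TOKEN` scope even though it only reads files. Add a workflow-level `permissions:` with `contents: read`, and put `persist-credentials: false` under a `with:` on the `actions/checkout@v4` step. The grep is also only a guard while a pull request cannot alter it: on `pull_request` the workflow definition is normally read from the PR's merge ref, and `--exclude="workflow-rules.yml"` leaves this file itself unscanned. It should therefore be backed by a required status check and code-owner review on `.github/workflows/`. A header comment stating why the trigger is banned would help contributors who hit the failure, e.g. `# pull_request_target runs with base-repository secrets and is not allowed here`.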